Secure Coding mailing list archives

Re: Application Insecurity --- Who is at Fault?


From: Blue Boar <BlueBoar () thievco com>
Date: Thu, 07 Apr 2005 12:28:09 +0100

Michael Silk wrote:
> See, you are considering 'security' as something extra again. This is
> not right.

It is extra.  It's extra time and effort.  And extra testing.  And extra
backtracking and schedule slipping when you realize you blew something.
All before it hits beta.

Any solution that ends up with us having "secure" software will
necessarily need to address this step as well as all others.  The
"right" answer just might end up being "suck it up, and take the
resource hit."  It might be "switch to the language that lends itself to
you coding securely at 75% the productivity rate of sloppy coding."  I
don't know enough about the languages involved to participate in that
debate.

Strangely enough, for the last year and a half or so, I've been sitting
here being QA at a security product company.  Doing software right takes
extra resources.  I are one.

     Ryan
